Link Search Menu Expand Document

AD_Audit_Policy_Change

ID: 100274

Description:

EventID 4719: System audit policy was changed

Repository: Fluency Group: AD Type: event

Default Status:

Enabled

Tags:    
ActiveDirectory AD Active Directory
     

Selector:

Query:

Filters:

Field MUST hit
@eventType nxlogAD
@fields.EventID 4719
Field MUST NOT hit
   

Behavior Rule:

Key Type Behavior Category
@fields.Hostname asset application activity

Risks:

Risks Base Score Dimension
Timeline 0 -

Attributes:

Alias Key
Hostname @fields.Hostname
Category @fields.Category
Subcategory @fields.Subcategory
TaskCategory @fields.TaskCategory
AuditPolicyChanges @fields.AuditPolicyChanges
SubjectFullName @fields.SubjectFullName
Message @message

Correlation Rules:

First Occurrence:

Name Window Fields
NewUser 30 days @fields.SubjectUserName
  Risks: ML_NEW_USER
NewTaskCategory 30 days @fields.TaskCategory
  Risks: ML_NEW_SERVICE
NewCategory 30 days @fields.Category
  Risks: ML_NEW_APP
NewSubcategory 30 days @fields.Subcategory
  Risks: ML_NEW_APP

Aggregation:

Name Window Field AggType Match
MultipleAlerts 1 hour   count gt 150
  Risks: BANDWIDTH_ANOMALY    

History:

User Date
ho*d@fluencysecurity.com 2021 Jul 15 15:08:27 EDT
ho*d@fluencysecurity.com 2021 Jul 30 18:45:20 EDT
ku*n@fluencysecurity.com 2022 Feb 17 14:19:45 EST

This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)